Charlie Miller: 'Difficult to write exploits' for Android 4.1

Android 4.1 Jelly Bean is the most secure version yet. Android now fully implements Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Unfortunately, most Android users will never get to use Jelly Bean on their device.

The latest version of Google's mobile operating system, Android 4.1 (Jelly Bean), significantly beefs up the platform's security. Jelly Bean includes several new exploit mitigations as well as full implementation of Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). At least one famous hacker thinks this will finally make Android much harder to attack.

"As long as there's anything that's not randomized, then it (ASLR) doesn't work, because as long as the attacker knows something is in the same spot, they can use that to break out of everything else," Charlie Miller, a security researcher famous for publicly hacking Apple products, told Ars Technica. "Jelly Bean is going to be the first version of Android that has full ASLR and DEP, so it's going to be pretty difficult to write exploits for that."

ASLR randomizes the memory locations of key data areas, including the base of the executable and position of libraries, heap, and stack, in a process's address space. DEP prevents an application or service from executing code from a non-executable memory region. The goal is to stop hackers who exploit memory corruption bugs. Since they don't know in advance where their malicious payloads will be loaded, they cannot be so easily executed, and since other parts of the memory can't be leveraged, exploits that store code via a buffer overflow can also be blocked.

Google first included ASLR support in Android 4.0 (Ice Cream Sandwich), but only partially. The ASLR support in Android 4.0 only randomized certain key locations, leaving other key parts of the Android operating system memory space as a predictable space to attackers.

Security researcher Jon Oberheide was the first to note the change between Android 4.0 and Android 4.1 over on The Duo Bulletin:

As we mentioned in our previous post on Android ASLR, the executable mapping in the process address space was not randomized in Ice Cream Sandwich, making ROP-style attacks possible using the whole executable as a source of gadgets. In Jelly Bean, most binaries are now compiled/linked with the PIE flag (commits for the linker, ARM and x86), which means the executable mapping will be properly randomized when executed.

The custom Android linker was the last piece of the ASLR puzzle that was not randomized in Ice Cream Sandwich. In Jelly Bean, the linker is now randomized in the process address space. This means that the deficiencies in ICS pointed out in our previous blog post have all been addressed in Jelly Bean, giving it full stack, heap/brk, lib/mmap, linker, and executable ASLR.

All in all, this is great news, but it comes with one massive gotcha. Google still hasn't shown any desire to get its massive userbase onto the latest version of Android. As such, until most Android users are running Jelly Bean or later, this won't be a new feature that most people will be able to enjoy.